OAuth 2.0 (RFC 6749) defines four grant types, usually called flows; Proof Key for Code Exchange (PKCE, RFC 7636) is an extension of the first of them:
- Authorization code flow:
  - A short-lived, one-time code is issued to the client through the browser redirect
  - The client redeems the code at the token endpoint for an access token (and a refresh token where the server allows it)
  - Returns an access token and, when used with OpenID Connect, an ID token
  - Used for server-side (confidential) applications, which can authenticate to the token endpoint with a client secret
  - With PKCE, the client also sends a code challenge in the authorization request and the matching code verifier when it redeems the code, so an intercepted code cannot be redeemed by anyone else; used for native/mobile applications and other public clients that cannot keep a secret
- Client credentials flow:
  - Authenticates the client itself (with a secret or certificate), not a user
  - Client receives an access token for itself
  - Does not issue refresh tokens; the client simply authenticates again when the token expires
  - Recommended for client applications with no end user (machine-to-machine communication)
- Resource owner password flow:
  - Client collects the username/password from the user directly
  - Client exchanges the username/password for an access token at the token endpoint
  - Only acceptable if you control both the client application and the resource, because the client sees the user's password in clear text
  - Typically used by a first-party client talking to its own service; it cannot complete interactive requirements such as multi-factor authentication and is discouraged by the OAuth 2.0 Security Best Current Practice
- Implicit flow:
  - Client is an untrusted (public) client; tokens are returned directly in the redirect URI fragment, with no code to redeem
  - No refresh token issued
  - Historically recommended for Single Page Applications (SPA); current OAuth 2.0 security guidance prefers the authorization code flow with PKCE for SPAs, because tokens in the URL fragment are exposed to browser history and to any script running on the page
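As an added example (not code from the book or from Microsoft's documentation), the following Python models the two flows most worth contrasting, authorization code with PKCE and client credentials, against a constructed in-memory authorization server. The endpoint URLs, client IDs and client secret are assumptions; the verifier/challenge computation follows RFC 7636 and can be checked against the test vector in that RFC's Appendix B. The toy server enforces the properties the list above relies on: a code is redeemable once, only by the client and redirect URI it was issued to, and only together with the code verifier; the client credentials grant returns no refresh token.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed, illustrative endpoints; real AD FS / Azure AD endpoints differ.
AUTHORIZE_ENDPOINT = "https://login.example.com/oauth2/authorize"
REDIRECT_URI = "https://app.example.com/callback"

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_pkce_pair(verifier=None):
    """Return (code_verifier, S256 code_challenge); a fresh verifier is 32 random bytes (43 chars)."""
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge

def server_verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Token-endpoint check (RFC 7636 section 4.6): SHA-256 of the verifier must equal the challenge."""
    recomputed = b64url(hashlib.sha256(presented_verifier.encode("ascii")).digest())
    return secrets.compare_digest(recomputed, stored_challenge)

def build_authorization_url(client_id, scope, state, code_challenge):
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": REDIRECT_URI,
              "scope": scope, "state": state,
              "code_challenge": code_challenge, "code_challenge_method": "S256"}
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)

def parse_authorization_response(redirect_url, expected_state):
    """Client side: reject the redirect unless state matches, then extract the one-time code."""
    q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    if not secrets.compare_digest(q.get("state", ""), expected_state):
        raise ValueError("state mismatch: response does not belong to this session")
    if "error" in q:
        raise ValueError("authorization server error: " + q["error"])
    return q["code"]

class ToyAuthorizationServer:
    """Constructed stand-in for the authorization server; only what the two flows need."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, code_challenge)
        self._clients = {"svc-client": "svc-secret"}  # constructed confidential-client registry

    def authorize(self, url):
        """The user is assumed to have signed in and consented; issue a code bound to the challenge."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"])
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, form):
        if form["grant_type"] == "authorization_code":
            entry = self._codes.pop(form["code"], None)  # pop: a code is redeemable exactly once
            if entry is None:
                raise PermissionError("unknown or already redeemed code")
            client_id, redirect_uri, challenge = entry
            if client_id != form["client_id"] or redirect_uri != form["redirect_uri"]:
                raise PermissionError("code was issued to a different client or redirect_uri")
            if not server_verify_pkce(challenge, form.get("code_verifier", "")):
                raise PermissionError("PKCE verification failed")
            return {"access_token": "user-" + b64url(secrets.token_bytes(8)), "token_type": "Bearer",
                    "refresh_token": b64url(secrets.token_bytes(8))}
        if form["grant_type"] == "client_credentials":
            if self._clients.get(form["client_id"]) != form["client_secret"]:
                raise PermissionError("client authentication failed")
            # No refresh token: the client authenticates again when the access token expires.
            return {"access_token": "app-" + b64url(secrets.token_bytes(8)), "token_type": "Bearer"}
        raise ValueError("unsupported grant_type")

def run_authorization_code_flow(server, client_id="native-app", present_verifier=None):
    """Public client: no secret; protected by state (client side) and PKCE (server side).
    present_verifier replaces the real verifier to simulate someone who intercepted only the code."""
    verifier, challenge = make_pkce_pair()
    state = b64url(secrets.token_bytes(16))
    redirect = server.authorize(build_authorization_url(client_id, "openid api.read", state, challenge))
    code = parse_authorization_response(redirect, state)
    return server.token({"grant_type": "authorization_code", "client_id": client_id,
                         "redirect_uri": REDIRECT_URI, "code": code,
                         "code_verifier": present_verifier or verifier})

def run_client_credentials_flow(server, client_id="svc-client", client_secret="svc-secret"):
    """Confidential client acting for itself: no user, no redirect, no refresh token."""
    return server.token({"grant_type": "client_credentials", "client_id": client_id,
                         "client_secret": client_secret, "scope": "api.read"})

def stolen_code_is_useless(server):
    """True if a caller holding the code but not the verifier is refused at the token endpoint."""
    try:
        run_authorization_code_flow(server, present_verifier="attacker-guess")
    except PermissionError:
        return True
    return False
```

Running the two flows against one `ToyAuthorizationServer()` shows the difference the list above describes: the user-delegated response carries a refresh token, the client credentials response does not, and a code presented without its verifier is rejected even though the code, client ID and redirect URI are all correct.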
You can use the following resource to deploy several OAuth 2.0 examples against your on-premises AD FS infrastructure:
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/development/native-client-with-ad-fs
Work through the following examples with Azure AD (v1 endpoint documentation) to go deeper into the different flow types:
- OAuth 2.0 implicit grant flow: https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-implicit-grant-flow
- OAuth 2.0 auth code grant flow: https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code
- OAuth 2.0 On-Behalf-Of flow: https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-on-behalf-of-flow
- OAuth 2.0 client credentials flow: https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow
The next section provides you with information about the authorization code flow.